feat: Add cookie authentication

.env.example

@@ -24,3 +24,5 @@ JOBS_RETENTION_HOURS=24
 
 OTP_EXPIRATION_MINUTES=15
 ENABLE_RATE_LIMIT='true'
+COOKIE_SECRET="secret"
+COOKIE_EXPIRATION_SECONDS=86400 # 24 hours

.github/workflows/node.js.yml

@@ -31,6 +31,8 @@ env:
   JOBS_RETENTION_HOURS: '24'
   OTP_EXPIRATION_MINUTES: '15'
   ENABLE_RATE_LIMIT: 'true'
+  COOKIE_SECRET: 'secret'
+  COOKIE_EXPIRATION_SECONDS: '3600'
 
 jobs:
   build:

.woodpecker/.backend-ci.yml

@@ -23,6 +23,8 @@ x-common: &common
     - JOBS_RETENTION_HOURS=24
     - OTP_EXPIRATION_MINUTES=15
     - ENABLE_RATE_LIMIT=true
+    - COOKIE_SECRET=secret
+    - COOKIE_EXPIRATION_SECONDS=3600
 
 pipeline:
   setup:

package.json

@@ -36,6 +36,7 @@
     "@types/bcryptjs": "^2.4.2",
     "@types/body-parser": "^1.19.2",
     "@types/compression": "^1.7.2",
+    "@types/cookie-parser": "^1.4.6",
     "@types/cors": "^2.8.12",
     "@types/cross-spawn": "^6.0.6",
     "@types/express": "^4.17.13",
@@ -68,6 +69,7 @@
     "bullmq": "^4.13.2",
     "compression": "^1.7.4",
     "concurrently": "^8.2.0",
+    "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "cross-spawn": "^7.0.3",
     "date-fns": "^2.30.0",

src/config/config.ts

@@ -55,6 +55,14 @@ const envVarsSchema = z
         'OTP EXPIRATION TIME must be a number',
       ),
     ENABLE_RATE_LIMIT: z.string(),
+    COOKIE_SECRET: z.string(),
+    COOKIE_EXPIRATION_SECONDS: z
+      .string()
+      .transform((val) => Number(val))
+      .refine(
+        (val) => !Number.isNaN(val),
+        'COOKIE EXPIRATION SECONDS must be a number',
+      ),
   })
   .passthrough();
 
@@ -87,4 +95,6 @@ export const config: Config = {
   redisUsername: envVars.REDIS_USERNAME,
   jobsRetentionHours: envVars.JOBS_RETENTION_HOURS,
   otpExpirationMinutes: envVars.OTP_EXPIRATION_MINUTES,
+  cookieSecret: envVars.COOKIE_SECRET,
+  cookieExpirationSeconds: envVars.COOKIE_EXPIRATION_SECONDS,
 };

src/controllers/auth.ts

@@ -1,5 +1,6 @@
 import httpStatus from 'http-status';
 import { Body, Controller, Post, Request, Route, Security } from 'tsoa';
+
 import { AuthService } from 'services/auth';
 import {
   CreateUserParams,
@@ -8,27 +9,43 @@ import {
   AuthenticatedRequest,
   LoginParams,
 } from 'types';
+import { COOKIE_NAME, cookieConfig } from 'utils/auth';
 
 @Route('v1/auth')
 export class AuthControllerV1 extends Controller {
   @Post('/register')
-  public async register(@Body() user: CreateUserParams): Promise<ReturnAuth> {
-    const authReturn = await AuthService.register(user);
+  public async register(
+    @Body() user: CreateUserParams,
+    @Request() req: AuthenticatedRequest,
+  ): Promise<ReturnAuth | null> {
+    const { sessionId, ...authReturn } = await AuthService.register(user);
+
+    const { res } = req;
+    res?.cookie(COOKIE_NAME, sessionId, cookieConfig);
+
     this.setStatus(httpStatus.CREATED);
     return authReturn;
   }
 
   @Post('/login')
-  public async login(@Body() loginParams: LoginParams): Promise<ReturnAuth> {
-    const authReturn = await AuthService.login(loginParams);
+  public async login(
+    @Body() loginParams: LoginParams,
+    @Request() req: AuthenticatedRequest,
+  ): Promise<ReturnAuth | null> {
+    const { sessionId, ...authReturn } = await AuthService.login(loginParams);
+    const { res } = req;
+    res?.cookie(COOKIE_NAME, sessionId, cookieConfig);
     this.setStatus(httpStatus.OK);
     return authReturn;
   }
 
   @Post('/logout')
+  @Security('cookie')
   @Security('jwt')
   public async logout(@Request() req: AuthenticatedRequest): Promise<void> {
     await AuthService.logout(req.user.token);
+    const { res } = req;
+    res?.clearCookie(COOKIE_NAME);
     this.setStatus(httpStatus.OK);
   }
 

src/controllers/users.ts

@@ -19,11 +19,13 @@ import {
   PasswordResetCodeRequest,
   ResetPassword,
 } from 'types';
+import { COOKIE_NAME } from 'utils/auth';
 
 @Route('v1/users')
 export class UsersControllerV1 extends Controller {
   @Get()
   @Security('jwt')
+  @Security('cookie')
   public async index(): Promise<ReturnUser[]> {
     const users = await UserService.all();
     this.setStatus(httpStatus.OK);
@@ -32,6 +34,7 @@ export class UsersControllerV1 extends Controller {
 
   @Get('/me')
   @Security('jwt')
+  @Security('cookie')
   public async getMe(
     @Request() req: AuthenticatedRequest,
   ): Promise<ReturnUser | null> {
@@ -42,6 +45,7 @@ export class UsersControllerV1 extends Controller {
 
   @Get('{id}')
   @Security('jwt')
+  @Security('cookie')
   public async find(@Path() id: string): Promise<ReturnUser | null> {
     const user = await UserService.find(id);
     this.setStatus(httpStatus.OK);
@@ -50,6 +54,7 @@ export class UsersControllerV1 extends Controller {
 
   @Put('{id}')
   @Security('jwt')
+  @Security('cookie')
   public async update(
     @Path() id: string,
     @Body() requestBody: UpdateUserParams,
@@ -61,8 +66,14 @@ export class UsersControllerV1 extends Controller {
 
   @Delete('{id}')
   @Security('jwt')
-  public async destroy(@Path() id: string): Promise<void> {
+  @Security('cookie')
+  public async destroy(
+    @Path() id: string,
+    @Request() req: AuthenticatedRequest,
+  ): Promise<void> {
+    const { user, res } = req;
     await UserService.destroy(id);
+    if (user.id === id) res?.clearCookie(COOKIE_NAME);
     this.setStatus(httpStatus.NO_CONTENT);
   }
 

src/middlewares/auth.ts

@@ -3,6 +3,7 @@ import jwt from 'jsonwebtoken';
 import { config } from 'config/config';
 import { ApiError } from 'utils/apiError';
 import { errors } from 'config/errors';
+import { verifyCookie } from 'utils/auth';
 
 export function expressAuthentication(
   request: Request,
@@ -32,5 +33,10 @@ export function expressAuthentication(
       });
     });
   }
+  if (securityName === 'cookie') {
+    const { signedCookies } = request;
+
+    return verifyCookie(signedCookies);
+  }
   return Promise.resolve(null);
 }

src/middlewares/index.ts

@@ -2,10 +2,13 @@ import express, { Application } from 'express';
 import helmet from 'helmet';
 import compression from 'compression';
 import cors from 'cors';
+import cookieParser from 'cookie-parser';
+
 import { applyRateLimit } from 'middlewares/rateLimiter';
 import { morganHandlers } from 'config/morgan';
 import { errorConverter, errorHandler } from 'middlewares/error';
 import { Wrapper } from 'types';
+import { config } from 'config/config';
 
 export const preRoutesMiddleware = (app: Application) => {
   // Set security HTTP headers
@@ -30,6 +33,8 @@ export const preRoutesMiddleware = (app: Application) => {
   app.use(morganHandlers.successHandler);
   app.use(morganHandlers.errorHandler);
   app.use(morganHandlers.debugHandler);
+
+  app.use(cookieParser(config.cookieSecret));
 };
 
 // Middleware separated to use our error handler when a route is not found

src/services/auth.ts

@@ -1,6 +1,6 @@
 import * as bcrypt from 'bcryptjs';
 import {
-  ReturnAuth,
+  ReturnAuthService,
   CreateUserParams,
   LoginParams,
   RefreshTokenParams,
@@ -12,7 +12,9 @@ import { generateAccessToken, generateRefreshToken } from 'utils/token';
 import { UserService } from '.';
 
 export class AuthService {
-  static register = async (userBody: CreateUserParams): Promise<ReturnAuth> => {
+  static register = async (
+    userBody: CreateUserParams,
+  ): Promise<ReturnAuthService> => {
     const user = await UserService.create(userBody);
     const accessToken = await generateAccessToken(user);
     const refreshToken = await generateRefreshToken(user);
@@ -21,14 +23,17 @@ export class AuthService {
       accessToken,
       refreshToken,
     };
-    await prisma.session.create({ data: sessionData });
+    const session = await prisma.session.create({ data: sessionData });
     return {
+      sessionId: session.id,
       accessToken,
       refreshToken,
     };
   };
 
-  static login = async (loginParams: LoginParams): Promise<ReturnAuth> => {
+  static login = async (
+    loginParams: LoginParams,
+  ): Promise<ReturnAuthService> => {
     const { email, password } = loginParams;
     const user = await prisma.user.findUnique({ where: { email } });
     if (!user) {
@@ -39,7 +44,7 @@ export class AuthService {
     if (!isPasswordValid) {
       throw new ApiError(errors.INVALID_CREDENTIALS);
     }
-    const session = await prisma.session.findUnique({
+    let session = await prisma.session.findUnique({
       where: { userId: user.id },
     });
     const accessToken = await generateAccessToken(user);
@@ -49,6 +54,7 @@ export class AuthService {
         data: { accessToken },
       });
       return {
+        sessionId: session.id,
         accessToken,
         refreshToken: session.refreshToken,
       };
@@ -60,8 +66,9 @@ export class AuthService {
       accessToken,
       refreshToken,
     };
-    await prisma.session.create({ data: sessionData });
+    session = await prisma.session.create({ data: sessionData });
     return {
+      sessionId: session.id,
       accessToken,
       refreshToken,
     };
@@ -73,7 +80,7 @@ export class AuthService {
 
   static refresh = async (
     refreshTokenParams: RefreshTokenParams,
-  ): Promise<ReturnAuth> => {
+  ): Promise<ReturnAuthService> => {
     const { refreshToken } = refreshTokenParams;
     const session = await prisma.session.findUnique({
       where: { refreshToken },
@@ -94,6 +101,7 @@ export class AuthService {
       data: { accessToken },
     });
     return {
+      sessionId: session.id,
       accessToken,
       refreshToken,
     };